
POC 2019 - HUNTING VULNERABILITY IN ANTIVIRUS PRODUCTS

Nafiez
November 12, 2019

A presentation at Power of Community (POC) 2019, held in South Korea, on hunting vulnerabilities in antivirus products.


Transcript

  1. REVISITING ANTIVIRUS VULNERABILITIES
    HUNTING VULNERABILITY IN ANTIVIRUS PRODUCTS

  2. ABOUT US!
    NAFIEZ
    An independent security researcher. Interested in vulnerability research and reverse engineering.
    JAAN YEH
    More than 10 years of experience in the antivirus field. Reverse engineering and exploit analysis.

  3. TABLE OF CONTENTS
    01 GENERAL DISCUSSIONS: Technology, benefits and security perspective.
    02 WHAT MAKES THEM FAIL?: Why does it keep failing after so many years?
    03 VULNERABILITY HUNTING: Hunting down and diving into AV vulnerabilities.
    04 VULNERABILITY ANALYSIS & EXPLOITATION: General discussion of our findings.
    05 CONCLUSION: Best defense is offense.

  4. PRIOR WORKS BY OTHER RESEARCHERS
    ● Alex Wheeler and Neel Mehta
    ○ https://www.blackhat.com/presentations/bh-europe-05/bh-eu-05-wheeler-mehta-up.pdf
    ● Feng Xue
    ○ https://www.blackhat.com/presentations/bh-europe-08/Feng-Xue/Whitepaper/bh-eu-08-xue-WP.pdf
    ● MJ011
    ○ http://powerofcommunity.net/poc2010/mj0011.pdf
    ● Joxean Koret
    ○ http://joxeankoret.com/download/breaking_av_software_44con.pdf
    ● Tavis Ormandy
    ○ https://lock.cmpxchg8b.com/sophailv2.pdf
    ● Alexei Bulazel
    ○ https://i.blackhat.com/us-18/Thu-August-9/us-18-Bulazel-Windows-Offender-Reverse-Engineering-Windows-Defenders-Antivirus-Emulator.pdf
    ● Wayne Low & Yang YongJian
    ○ https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/The%20Dawn%20of%20AV%20Self-Protection.pdf
    ● Buherator
    ○ https://github.com/v-p-b/kaspy_toolz/raw/master/S2_EUSKALHACK_Self-defenseless.pdf
    ● etc.

  5. GENERAL DISCUSSIONS
    01

  6. https://www.networkworld.com/article/2287721/the-evolution-of-antivirus-software.html

  7. THE EVOLUTION OF ANTIVIRUSES
    MALWARE: Malware is getting smarter. Threat actors implement malware with 0-days.
    TECHNOLOGY: Machine learning and artificial intelligence are adopted in security. Vendors use them to study malware.
    HUMAN: Humans need security in their daily life. Threats have become smarter, and that includes IoT.

  8. BENEFITS
    WEB PROTECTION
    ML / AI
    VIRUS & SPYWARE
    REMOVABLE DEVICE
    BEHAVIOR
    PC PERFORMANCE
    CLOUD
    PC PROTECTION PASSWORD
    E-MAIL
    FIREWALL
    PARENTAL CONTROL
    PHISHING
    ADS & SPAM

  9. EFFICIENCY
    CONSISTENCY
    PERFORMANCE
    RELIABILITY
    RELEVANCE
    COMPETENCE
    TRUST!

  10. https://www.av-test.org/typo3temp/avtestreports/print_total_distribution_10-years_en.png

  11. https://www.av-comparatives.org/tests/real-world-protection-test-jul-aug-2019-factsheet/

  12. https://www.virustotal.com/gui/file/09d10ae0f763e91982e1c276aad0b26a575840ad986b8f53553a4ea0a948200f/detection

  13. WHAT MAKES THEM FAIL?
    02

  14. https://www.technologyreview.com/s/428166/the-antivirus-era-is-over/

  15. THEORETICALLY, THEY STILL RELY ON …
    ANALYST: They still require people to analyze samples.
    SIGNATURE: Using signature-based detection.
    HEURISTIC: Using heuristic-based detection.
    CLOUD: Requires submission to their cloud program, collecting information, etc.

  16. WHY?
    ENGINE: AV engines are widely reused by other products, which gives a bigger attack surface. Some vendors implement their own engines, but these are limited.
    AUDIT: Vendors fail to audit their products securely. Too many products are released, leaving many loopholes.
    VULNERABILITY: Failure to detect 0-day or unknown vulnerabilities. The AV product itself contains unknown vulnerabilities.
    FEATURES: Many features in one single product. These features are likely to be abused.
    TRICKS: They rely on traditional detection, so tricking the AV can lead to a bypass.

  17. WELL-KNOWN ISSUES
    1. Delayed Database Update
    2. Organization Control
    3. Evasion (False Negative)
    4. False Positive
    5. Unknown Behavior

  18. VULNERABILITY HUNTING
    03

  19. ATTACK SURFACE… CORE ANTIVIRUS
    Language: Written in C / C++ / C#
    Archives: Support for various types of compressed file archives
    Packer: Support for various packers including UPX, ASPack, etc.
    File Formats: Support for multiple formats, including word processing, PDF, etc.
    Scanners: Various types, on-access, on-demand
    Features: All-in-one product, featuring anti-rootkit, performance optimization, etc.
    Emulators: Implementing emulators that support emulating x86, etc.
    Engine: Internal engine and external (shared) engine
    Kernel: Windows drivers including filter, network, etc.

  20. TYPES OF ATTACKS
    PERMISSION ISSUE: Leveraging a permission issue to achieve control/execution
    PRIVILEGE ESCALATION: Allows gaining higher privilege on the system to fully control the target
    REMOTE BASED: Achievable by tricking the target or via non-interaction code execution
    PARSERS & ARCHIVES BOMBING: Uses the old method of archive bombing to delay the scanning process or immediately kill the product (OOB, OOM, Stack / Buffer Overflow, NULL Pointer, etc.)
    LOGIC BUGS: Abusing features without actually relying on memory corruption issues
    DENIAL OF SERVICE: Abusing the vulnerability in multiple ways, such as a kernel BSOD

  21. Now we know the attack surfaces, but how does it work?
    Let’s go back to basics…

  22. HUNTING - KERNEL DRIVER
    ● Understanding of Windows Internals
    ○ MSDN, Debugging, Userland, Kernel land, Traditional and (Virtualization) Modern architectures, etc.
    ● Understanding of Windows drivers
    ○ Windows Driver Model (WDM)
    ○ Windows Driver Frameworks (WDF)
    ● Basic driver structures
    ○ DriverEntry, Device Objects, IRP functions, IOCTL codes
    ● Various types of Windows kernel issues
    ○ IOCTL Handling, Insecure Permission, ACL Bypass, etc.

  26. HUNTING #1 - KERNEL DRIVER - IOCTL

  28. HUNTING #1 - KERNEL DRIVER - IOCTL
    ● Good examples of finding IOCTL via automated process
    ○ https://github.com/nccgroup/DriverBuddy
    ○ https://labs.f-secure.com/tools/win-driver-tool/
    ○ https://brundlelab.wordpress.com/2013/02/02/show-me-your-ioctlcodes/
    ● Please note that some of these automated tools can’t really find the exact IOCTL :)

  29. HUNTING #2 - KERNEL DRIVER - DEVICE PRIVILEGE
    “If a device object's FILE_DEVICE_SECURE_OPEN characteristic is set, the system applies the device object's security descriptor to all file open requests in the device's namespace. Drivers can set FILE_DEVICE_SECURE_OPEN when they create the device object with IoCreateDevice or IoCreateDeviceSecure.”
    https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/controlling-device-namespace-access

  30. HUNTING #2 - KERNEL DRIVER - DEVICE PRIVILEGE

  32. HUNTING - NAMED PIPE
    ● One-way or duplex pipe for communication between the pipe server and one or more pipe clients
    ● Any process can access named pipes, subject to security checks, making named pipes an easy form of communication between processes.
    ● A service that can be abused to gain privilege escalation and arbitrary code execution.
    ○ These days we see a lot of named pipe abuse via WCF :)
    ● A named pipe has its own DACL, very similar to file system permissions.
    ○ An access check is performed before granting access to the object
    ● In some cases, it works over the network
    ○ This could allow remote code execution too, which is a huge attack surface
    ● Developers can specify a security descriptor for a named pipe.
    ○ The security descriptor controls access to both client and server ends of the named pipe.
    ● MSDN has enough information to understand how it works.

  34. HUNTING #1 - NAMED PIPE
    We found a backdoor function ¯\_(ツ)_/¯

  35. HUNTING #2 - NAMED PIPE
    ● A collision bug found by us and hyp3rlinx
    ○ It turns out he found it first and released the advisory.
    ● The issue is due to a NULL DACL (RW Everyone), resulting in a system scan Denial of Service vulnerability for both of the endpoint protection programs.
    ● The named pipe is remotely accessible. Further investigation found that PIPE_REJECT_REMOTE_CLIENTS and FILE_FLAG_FIRST_PIPE_INSTANCE are not present.
    http://hyp3rlinx.altervista.org/advisories/CISCO-IMMUNET-AND-CISCO-AMP-FOR-ENDPOINTS-SYSTEM-SCAN-DENIAL-OF-SERVICE.txt

  36. HUNTING - INSECURE PERMISSIONS
    ● Access to files (securable objects) is regulated by the access-control model that governs access to all other securable objects in Windows.
    ● A security descriptor can be defined for a file or directory.
    ○ If set to NULL, the file or directory gets a default security descriptor.
    ● Access Control Lists (ACL) in the default security descriptor for a file or directory are inherited from its parent directory.
    ● Third-party software installation plays a big role in defining its security descriptor.
    ● Abusing insecure permissions sometimes leads to privilege escalation or even arbitrary code execution
    ● Plenty of areas can be abused, including:
    ○ File system, Registry, Named Pipe, Driver, Services

  37. HUNTING #1 - INSECURE FOLDER PERMISSIONS

  38. HUNTING #2 - INSECURE REGISTRY PERMISSIONS
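
    The permission hunting described on these slides (NULL DACL on a named pipe, "Everyone" on folders and registry keys) can be turned into one defender-side audit. The PowerShell below is an added example, not code from the deck; it assumes Get-Acl accepts `\\.\pipe\<name>` paths as it does on Windows PowerShell 5.1, and the function and variable names are mine.

```powershell
# Added example, not part of the original deck. Audits the DACL of files, folders,
# registry keys and named pipes for write-class rights granted to broad principals.
# Assumption: Get-Acl accepts '\\.\pipe\<name>' paths (Windows PowerShell 5.1).

$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a low-privileged user plant, replace or delete content.
$WriteLikeRights  = 'FullControl|Modify|Write|CreateFiles|AppendData|Delete|ChangePermissions|TakeOwnership|SetValue|CreateSubKey'
$GenericWriteBits = 0x50000000   # GENERIC_ALL (0x10000000) | GENERIC_WRITE (0x40000000)

function Get-WeakAce {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        try {
            $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read DACL of ${Path}: $($_.Exception.Message)"
            return
        }

        # No D: component in the SDDL means a NULL DACL: every principal gets full
        # access (the named pipe case on slide 35).
        if ($acl.Sddl -notmatch 'D:') {
            [pscustomobject]@{ Path = $Path; Identity = '(NULL DACL)'; Rights = 'Everything'; Inherited = $false }
            return
        }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

            # File system and registry ACEs expose their rights under different property names.
            $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
                $ace.FileSystemRights
            } else {
                $ace.RegistryRights
            }
            # Generic rights show up as raw bits rather than enum names, so test both.
            $isWeak = ($rights.ToString() -match $WriteLikeRights) -or
                      (([int]$rights -band $GenericWriteBits) -ne 0)
            if (-not $isWeak) { continue }

            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $rights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Candidate objects: the product's data and install folders, its HKLM keys, every
# directory on PATH (DLL planting, slide 42) and every named pipe open on the host.
# The three literal paths are placeholders to replace with the product's own.
$Targets = @(
    'C:\ProgramData',
    'C:\Program Files',
    'HKLM:\SOFTWARE'
) + ($env:Path -split ';' | Where-Object { $_ }) +
    ([System.IO.Directory]::GetFiles('\\.\pipe\'))

$Targets | Get-WeakAce | Sort-Object Path | Format-Table -AutoSize
```

    A hit on a folder that a SYSTEM service writes into, or on a pipe a privileged service listens on, is exactly the precondition the later case studies rely on; fixing it means an explicit security descriptor at creation time rather than the inherited default.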

  39. HUNTING - LOGICAL BUGS
    ● Subverting the programmer’s original logic rather than abusing unintended behavior
    ● Logical bugs usually lead to privilege escalation
    ○ Everything is about Windows privileges
    ○ Complex + hard to fix
    ● It consists of various bug classes, including
    ○ File path abuse, Impersonation, Insecure Kernel Resource Access and COM
    ● Hunting logical bugs in AV is quite trivial, especially on file path abuse
    ○ Elevation of Privilege
    ○ Arbitrary file write
    ○ Arbitrary file delete
    ● In some cases, folder permissions are granted to “Everyone”, but the folder is protected by another process of the AV (self-defense mechanism).

  40. HUNTING #1 - LOGICAL BUGS
    https://conference.hitb.org/hitbsecconf2017ams/materials/D2T3%20-%20James%20Forshaw%20-%20Introduction%20to%20Logical%20Privilege%20Escalation%20on%20Windows.pdf

  41. HUNTING #1 - LOGICAL BUGS (FILE OPERATION)

  42. HUNTING - DLL PLANTING
    ● An application can control the location from which a DLL is loaded
    ○ Either by specifying a full path or by using another mechanism such as a manifest
    ● If an application loads a DLL without the full path, Windows attempts to locate the DLL by searching a well-defined set of directories in an order known as the DLL Search Order
    ● DLL planting vulnerabilities require less effort and make it easy to get persistence
    ○ The DllMain() function gets executed as soon as the DLL is loaded
    ● There are three known categories of DLL planting
    ○ Application Directory (App Dir) DLL planting
    ○ Current Working Directory (CWD) DLL planting
    ○ PATH Directories DLL planting
    ● Please note that not every DLL gets loaded

  45. HUNTING - ENGINE & PARSERS
    ● The most complex components
    ○ No source code, thus requires reverse engineering
    ● The antivirus engine supports various types of parsers
    ○ Executables, documents, archives, packers, media files, etc.
    ● The engine also contains emulators to support
    ○ Unpacking, decompression, etc.
    ● Most of the parsers are standard in parsing file formats, decompressing, unpacking, etc.
    ○ Some are customized, but the way they work is still the same
    ● Fuzzing is an efficient way
    ○ Then jump to the reverse engineering process
    ○ If you’re lucky enough, the target might have proper symbols :)
    ● Matalaz mentioned in his book (The Antivirus Handbook) that Linux is the best choice to fuzz AV
    ○ No sandbox / protection like in Windows

  46. HUNTING - ENGINE & PARSERS: TO-DO LIST
    INCONSISTENT CHECKS: Perform testing on multiple checks, e.g. are packed samples valid
    UNTRUSTED INPUT: Check for various types of input, e.g. logs, files, signatures, etc.
    ALLOCATION: Look for length calculations and magic values, e.g. check archive length/allocation calculations
    FILE SIZE: Test file sizes, including archives, e.g. check the parser's capability to parse large files
    ERROR-PRONE FORMATS: Examine sign and any calculations, e.g. 32-bit fields

  47. HUNTING - ENGINE & PARSERS

  48. ZIP Initialization Parser XML File Parser

  49. HUNTING - UNQUOTED SERVICE
    ● The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators
    ● Mostly happens on Windows Services
    ○ Misconfiguration of the service binary path
    ○ Unquoted and contains spaces
    ● The operating system attempts to run a program from the path ending at the first space character, and so on
    ● Not indicated as a vulnerability since it only works in Admin mode
    ○ Useful for persistence, maybe?

  50. HUNTING - UNQUOTED SERVICE
    c:\program.exe files\sub dir\program name
    c:\program files\sub.exe dir\program name
    c:\program files\sub dir\program.exe name

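    The three candidate paths above are what Windows tries, in order, before reaching the intended binary. The PowerShell below is an added example (not the deck's code): it reproduces that split for any unquoted ImagePath and audits the host's services for the pattern. Get-CimInstance and Win32_Service are standard; the function names are mine.

```powershell
# Added example, not part of the original deck. Reproduces the candidate executables
# Windows tries for an unquoted, space-containing service path, then audits the
# services on the host for that misconfiguration.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    # CreateProcess treats each space as a possible end of the module name and
    # appends ".exe" when the prefix has no extension; the full string is the
    # intended binary, so only the shorter prefixes are returned.
    $tokens = $ImagePath -split ' '
    for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
        $prefix = $tokens[0..$i] -join ' '
        if (-not $prefix.EndsWith('.exe', [System.StringComparison]::OrdinalIgnoreCase)) {
            $prefix += '.exe'
        }
        $prefix
    }
}

function Find-UnquotedServicePath {
    # Services whose ImagePath is unquoted and whose executable path contains spaces.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $cmd = $_.PathName
        if (-not $cmd -or $cmd.StartsWith('"')) { return }
        # Drop arguments: keep everything up to and including the first ".exe".
        $exePath = [regex]::Match($cmd, '(?i)^.*?\.exe').Value
        if (-not $exePath -or $exePath -notmatch ' ') { return }
        [pscustomobject]@{
            Service    = $_.Name
            RunsAs     = $_.StartName
            ImagePath  = $exePath
            Candidates = @(Get-UnquotedPathCandidates -ImagePath $exePath)
        }
    }
}

# The slide's example yields c:\program.exe, c:\program files\sub.exe and
# c:\program files\sub dir\program.exe, in that order.
Get-UnquotedPathCandidates -ImagePath 'c:\program files\sub dir\program name'

# Live audit of the current host.
Find-UnquotedServicePath | Format-List
```

    Each candidate's parent directory is what matters for triage: if an unprivileged user cannot create files there, the finding is, as the slide says, only reachable with Admin rights.
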
  52. HUNTING - MISCELLANEOUS
    SIGNATURE UPDATES: Signature updates sometimes use non-encrypted traffic. Some were easily MITM'd to fake the original download. Arbitrary code execution is achievable via the downloaded update when the signature is extracted.
    ADDITIONAL FEATURES: These days AVs come with additional features. As an example, AVs are bundled with WiFi protection, IoT, performance testing, etc., and each feature can be abused differently.
    WEB PROTECTION: AV vendors tend to protect users while surfing banking or shopping websites. In some cases, web protection does not stop web spoofing or even a 1-day browser exploit.
    WCF ENDPOINTS: WCF is a runtime and a set of APIs in the .NET Framework for building connected, service-oriented applications. These days AV components are implemented in .NET and use WCF. In some cases, it is trivial to find vulnerabilities in WCF.
    COMMAND-LINE BASED: AV sometimes uses a command-line tool or includes one as part of the scanning activity. In most cases, it is written in C/C++. The command sometimes defines buffers, and it is quite trivial to spot some issues there.

  53. HUNTING - MISCELLANEOUS
    SELF-PROTECTION MECHANISM: Self-protection mechanisms are implemented in most popular AV products. Vendors implement them for many reasons, including protecting their services, components, and file paths. However, this mechanism can be easily disabled in multiple ways, via the registry or even IPC.
    AUTHENTICODE: Authenticode is usually implemented as part of the engine, and its purpose is signature validation. Some vendors optimize their parser to prevent bugs. The more it parses, the more bugs can be found. Useful to combine reverse engineering and fuzzing.
    WEB INTERFACE: For large-scale use of AV, a web application is used to interact between the client and server. It uses the standard web mechanisms.
    LOG & CONFIGURATION FILES: Log and configuration files sometimes contain useful information such as usernames, passwords, and other sensitive information.
    PROCESS TAMPERING: AV uses services/processes to work on different tasks. Tampering with the AV processes could lead to arbitrary execution. This can be done in many ways such as process hollowing, thread injection, etc.

  54. LONG-TERM HUNTING
    01 REVERSE ENGINEERING: An effort at reversing the AV components could lead to many paths that might indicate a bug. However, there are some limitations, such as symbols. Binary diffing can help.
    02 AUDITING: Keep up with AV technology. Vendors are slowly moving to new technology such as sandboxing, self-protection, anti-tampering, etc.
    03 FUZZING: Many components can be fuzzed, including engine, parsers, command-line, etc.

  55. FUZZING - CORPUS & HARNESS
    ● Understanding of the target file format
    ● Corkami provides many inputs on various file formats
    ● Using the Google search engine for file type(s)
    ● Test cases from GitHub / GitLab
    ○ Test cases from others (e.g. Project Zero, etc.)

  56. RESPONSIBLE DISCLOSURE

  57. WE READ EULA TOO

  58. WE FOLLOW THE STANDARD RESPONSIBLE DISCLOSURE
    45 DAYS: We do follow the CERT/CC standard. CERT will help to coordinate with vendors. Failure to cooperate results in full disclosure.
    90 DAYS: We follow the 90-day standard of Google P0 when writing an email. Usually, vendors will ack and update us.

  59. CONTINUE…
    DAYS: In some cases, we respect vendors’ decision on the fix availability.
    0-DAYS: When other researchers found the same bug and published it at the time we reported it LOL~

  60. WE REPORTED TO VENDORS…

  61. THEY DENY

  62. THEY IGNORE

  63. WE DROP 0-DAY…

  64. SOME COOPERATING...

  65. WE RESPECT THEM BY NOT DISCLOSING ANYTHING UNTIL THEY FIX IT :)

  66. VULNERABILITY ANALYSIS & EXPLOITATION
    04

  67. VULNERABILITIES STATISTICS

  68. VULNERABILITIES AND EXPLOITATION
    ● Low-hanging fruit vulnerability types still exist
    ● Windows 10 introduced many security mechanisms
    ○ That doesn’t stop exploitation of the antivirus
    ● We don’t have to worry about exploitation when it comes to logical bugs :)
    ○ No ASLR, CFG, DEP, etc. bypass required
    ● Memory corruption based issues are still the most common in the kernel
    ○ For some exploits, we don’t have to waste time writing them
    ● Vendors “use” other vendors’ components
    ○ Driver, signature, engine, etc.
    ○ We can say it is worth looking into; you might achieve multiPWNvendor
    ● The more products you look into, the more you will understand how they work

  69. THE TARGET…

  70. COUNTRY ORIGIN

  71. At this point, we are still triaging findings and working with vendors...

  73. CASE STUDY #1: KYROL INTERNET SECURITY 2015

  74. DISCLOSURE
    ● We raised the issue to the vendor (reporting 1 issue only) on various channels and this dragged on for many months, but no luck.
    ● We figured out their customers are government agencies in Malaysia.
    ● We sought advice from friends in the local community (who have links to the government).
    ● The National Cyber Security Agency (NACSA) Malaysia treated this seriously. We told them we’d be disclosing the issue to the public.
    ○ Report provided to NACSA
    ● We had to sit for a video conference twice with the government, once with the vendor, to present our findings. We presented 12 findings to them LOL~
    ● It turns out that they had to re-engineer everything ¯\_(ツ)_/¯

  75. VULNERABILITY #1 - IOCTL HANDLING
    ● The driver ‘kyrld.sys’ is implemented with an unsafe method
    ● The IOCTL method implemented (METHOD_NEITHER) is outdated and always prone to vulnerabilities
    ○ Microsoft has mentioned this for many years
    ■ https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/using-neither-buffered-nor-direct-i-o
    ● The vulnerability itself is a failure to restrict the buffer sent to the vulnerable IOCTL. There are two vulnerable IOCTLs:
    ○ 0x9C402401 - Stack Overflow
    ○ 0x9C402405 - Invalid Kernel Pointer
    ● However, only read primitives are allowed.

  76. IOCTL DISPATCH

  77. THE POC

  78. CONTINUE

  79. CONTINUE

  80. VULNERABILITY #2 - INFORMATION DISCLOSURE
    ● Log upload policies use an insecure transport protocol, sending information in plaintext.
    ○ It was found that the global update is transmitted in plaintext.
    ● An attacker could set up a MITM or create a fake server and tap into the information sent in the traffic.
    ● It sends computer information in plaintext
    ○ Installed files, etc.
    ● We did some reverse engineering on their binary to look for server checking (e.g. certificate, etc.).
    ○ We realized that there is no further checking when uploading information to its centralized server.

  81. THE POC

  82. VULNERABILITY #3 - MEMORY CORRUPTION
    ● We modified a UPX-packed sample
    ○ Changed only 2 bytes
    ● We scanned the modified file and found that the AV service stopped and crashed.
    ● We decided to perform some fuzzing on the target
    ○ We did dumb fuzzing and found many bugs
    ○ Various file formats, packers (some samples “borrowed” from Project Zero :) )
    ● We found another interesting bug where the scanning activity keeps looping on the scanned file LOL~
    ○ We let the scan run for 12 hours and it kept scanning that file xD

  83. VULNERABILITY #3 - THE POC
    We modified the original bits to 0xFF

  84. VULNERABILITY #3 - THE CRASH

  85. THE FACTS
    ● We found out that Kyrol Internet Security uses super outdated components.
    ● These components are from
    ○ MSecure Data Labs (2012)
    ■ Driver, GUI and Service
    ○ IKARUS Security Software (2009)
    ■ Engine and Updates
    ● There’s so much to talk about, but we’ll release the rest of the vulnerabilities in a blog after they release a new version

  86. CASE STUDY #2: TOTAL DEFENSE ANTIVIRUS

  87. DISCLOSURE
    ● We raised an issue with the vendor via the official support channel (email).
    ● We sent multiple emails only to be asked if we were paying customers; this annoyed us greatly.
    ● We decided to report to CERT/CC.
    ● CERT/CC helped us contact / coordinate with the vendor.
    ○ They failed miserably too, LOL~
    ○ The vendor seems to be poor at communication
    ● CERT/CC advised us to go full disclosure
    ○ We were assigned CVE-2019-15512
    ● We’re not sure if this is still an issue (or 0-day)

  88. VULNERABILITY #1 - ELEVATION OF PRIVILEGE
    ● Total Defense Common Scheduler Service is prone to file operation abuse, as it runs as a privileged process on Windows.
    ● The log file is created, accessed and manipulated with SYSTEM privileges.
    ○ C:\ProgramData\TotalDefense\Consumer\ISS\9\ccschedulersvc\ccschedulersvc.log
    ● We found out the log folder has permissive access rights that allow unprivileged users to read, write and modify.
    ○ The permission was set to the “Everyone” group
    ● In this case the bug itself is a logic vulnerability
    ○ We don’t have to worry about ASLR, etc.

  89. VULNERABILITY #1 - ATTACK VECTOR
    https://offsec.provadys.com/images/intro-to-file-operation-abuse-on-Windows/product_x_exploit_symlink.png

  90. VULNERABILITY #1 - THE POC (STEPS)
    ● Delete all files in
    ○ "C:\ProgramData\TotalDefense\Consumer\ISS\9\ccschedulersvc\"
    ● Create a pseudo-symlink named
    ○ "C:\ProgramData\TotalDefense\Consumer\ISS\9\ccschedulersvc\ccschedulersvc.log" that points to "C:\Windows\System32\test.dll"
    ● The scheduler service can be restarted, or wait until the computer gets rebooted. Once rebooted / restarted, it should create an arbitrary file in the "C:\Windows\System32\" folder
    ● We could use Diaghub to inject the DLL so that we can have code execution

  91. VULNERABILITY #1 - EXPLOITATION

  92. CASE STUDY #3: eScan Antivirus

  93. DISCLOSURE
    ● We raised an issue to the vendor via the support channel (email).
    ○ Their support replied first and tried to dispute our findings.
    ● Someone from the research team stepped in to take care of the issue.
    ○ This team seems to understand what we are trying to deliver.
    ● Within a few days of communication, our first bug got fixed.
    ○ Then the second bug took them a bit longer to address.
    ● Pending an update from the vendor. We disclose this to the public :)

  94. VULNERABILITY #1 - PRIVILEGE ESCALATION
    ● The eScan installation directory is given "Everyone (F)", i.e. full permission
    ● Although the permission is “Everyone (F)”, it is “well” protected by self-defense protection
    ○ Protected via registry
    ● There’s a way we can disable the self-defense protection
    ● Once disabled, we can create or modify files in the installation folder
    ○ We found out the AV does not verify whether a binary is legitimate or not
    ● We crafted a simple DLL that pops up notepad, replacing “eslogon.dll”
    ○ Resulting in SYSTEM privilege

  95. VULNERABILITY #1 - ROOT CAUSE

  96. VULNERABILITY #1 - DISSECTING THE PROTECTION
    ● eScan AV uses self-protection to protect its files
    ○ This is the reason they left the folder permission at “Everyone” LOL~
    ● The registry value gets updated via the “escanmon.exe” process.
    ● “escanmon.exe” is responsible for self-protection; this includes all features in the AV such as the Firewall.
    ● Since registry modification requires Admin privilege, we could simply use the “escanmon.exe” UI console to disable the protection.
    ○ This helps us bypass the Admin privilege needed to modify the registry key :)
    ○ We could use a different way, but this one is a bit easier ;)
    ● Registry value
    ○ HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\MicroWorld\eConceal\eConceal Firewall\Common
    ■ ProPause = 0 ← default value (self-protection enabled)

  98. VULNERABILITY #1 - EXPLOITATION

  99. CASE STUDY #4: ZoneAlarm

  100. DISCLOSURE
    ● We raised an issue to the vendor via the support channel (chat).
    ○ Their support sent us an email address to report the issue.
    ● ZoneAlarm takes security reports seriously
    ○ It turns out their Head of Technologies approached us via email
    ● ZoneAlarm updated us on the matter, explaining the issue that we found
    ○ They understand the issue we reported is a valid issue; however, it did not meet their bar to fix.
    ○ We were told that not much information is being disclosed here.
    ● We’re not sure if this issue still exists or not

  101. VULNERABILITY #1 - INFORMATION DISCLOSURE
    ● ZoneAlarm Antivirus + Firewall was found to store the firewall, OS and pra-Alerts logs locally.
    ○ fwalerts.zonealarm.com
    ○ osalerts.zonealarm.com
    ○ pralerts.zonealarm.com
    ● The log contained a URL that belongs to each of the alerts that happened on the user's PC
    ○ We checked the URL in a browser and found out the log is stored on the server side and accessible by the public.
    ○ It does not support SSL (encryption layer) and the web parameters are hardcoded in GET requests.

  102. VULNERABILITY #1 - INFORMATION DISCLOSURE
    ● The log

  103. VULNERABILITY #1 - INFORMATION DISCLOSURE
    ● Open in browser

  104. VULNERABILITY #1 - INFORMATION DISCLOSURE
    URL from log:
    - http://fwalerts.zonealarm.com/fwalerts/fwanalyze.jsp?V103=AXOElQktIGxFN/kAAD36AAABAAAAAQAAAAEAAAABAAAAooYBADAxMDIJBAIABwAAAQAaAgAAAAAAAAACAAAA//8Q+ZLN21315352621518-1043,,,,Windows+10+x64-10.0.18362--SP,15.6.104.18071,ExtBlockAll2,kgef252mx9neega7nv958t26t80,2,,&CL=en&OEM=1043&SKU=8&Mode=0&Product=ZoneAlarm+Anti-virus
    URL after redirect:
    - http://fwalerts.zonealarm.com/fwanalyze.jsp?record=ZLN21315352621518-1043/40f3ca70160ef3814a06adb&tab=overview
    ● URL redirected
    ● If we look into the after-redirect URL, we can see it still shows the value “ZLN<14 digits>”. After playing around with the value, we figured out we can see other people's logs too. We randomly generated a “ZLN<14-digits>” value along with a Base64 value.
    ○ http://fwalerts.zonealarm.com/fwalerts/fwanalyze.jsp?V103=>ZLN<14_digits_random_value>-1033

  105. VULNERABILITY #1 - THE POC
    ● We crafted a proof-of-concept in a dumb way
    ● The chance of success is low but it’s still there
    Generate 14 random digits:
    >>> import random
    >>> random.randint(00000000000000,99999999999999)
    31684752113453L
    Generate random chars:
    >>> ''.join(random.choice('0123456789ABCDEF') for i in range(89))
    '5AE6FDF7A6FD62981C9DEC99D8F763FE6DA85312641700347AAE0A9FB01FAC88CD19E8C572521D197E0472C13'
    Finalize URL:
    - http://fwalerts.zonealarm.com/fwalerts/fwanalyze.jsp?V103=5AE6FDF7A6FD62981C9DEC99D8F763FE6DA85312641700347AAE0A9FB01FAC88CD19E8C572521D197E0472C13+ZLN31684752113453-1033

  106. VULNERABILITY #1 - THE POC

  107. VULNERABILITY #1 - INFORMATION DISCLOSURE
    ● Information we found disclosed
    ○ Source IP address
    ○ Destination IP address
    ○ TCP Flags
    ○ Transport Layer Protocol
    ○ Protocol Specific Type
    ○ Alert Date
    ○ Alert Count
    ○ Operating System

  108. VULNERABILITY #1 - INFORMATION DISCLOSURE

  109. CASE STUDY #5: TREND MICRO PAY GUARD

  110. DISCLOSURE
    ● We raised an issue to the vendor via email
    ○ Their vulnerability team acknowledged our report
    ● Trend Micro asked for further information
    ○ Very responsive vendor
    ● Within 2-3 weeks, the fix was shipped
    ○ According to the vendor, they will ship the fix by the end of October 2019

  111. VULNERABILITY #1 - MULTIPLE VULNERABILITIES
    ● There are two different vulnerabilities found in the Trend Micro Pay Guard program.
    ○ The issues found are a NULL pointer dereference and insecure library loading.
    ● In our testing, the vulnerabilities need to be chained in order to achieve the NULL pointer dereference.
    ○ There’s a way we can achieve code execution via DLL hijacking, but we had limited time to do it.
    ● Initial assessment found that Trend Micro Pay Guard was installed as a shortcut on the Desktop. The shortcut basically calls another executable from the Trend Micro installation folder:
    "C:\Program Files\Trend Micro\Titanium\ShorcutLauncher.exe" -OpenPB
    ● Launching the shortcut, we can see it calls “uiProtectedBrowser.exe” and immediately uses Internet Explorer as the browser.
    ○ Internet Explorer is hooked by the Trend Micro program and uses ToolbarIE.dll in the browser

  112. VULNERABILITY #1 - MULTIPLE VULNERABILITIES
    ● We found out that IE itself is trying to load a non-existent DLL from the Desktop path
    ○ We tried to confirm on a different machine whether it is a 0-day in IE itself or a problem with the Trend Micro program LOL~
    ● We crafted a dummy DLL to see if it gets loaded, renamed it to the filename in the screenshot and dropped it in the Desktop folder.
    ○ The DLL failing to load leads to a NULL pointer dereference.

  113. VULNERABILITY #1 - MULTIPLE VULNERABILITIES
    ● We figured out it failed to load the DLL, resulting in a browser crash. We observed that the program keeps looping and crashing if the uiProtectedBrowser.exe program is not killed

  114. VULNERABILITY #1 - MULTIPLE VULNERABILITIES
    ● Further investigation found the root cause in ToolbarIE.dll. The crash results from “ToolbarIE!DllUnregisterServer+0x000114a5”, where it fails to unregister the loaded DLL, which leads to the NULL pointer dereference

  115. -DAY DEMO #1: AhnLab V3 Lite

  116. -DAY DEMO #2: K7 Antivirus Premium

  117. -DAY DEMO #3: Avira Free Antivirus + Opera Browser

  118. -DAY DEMO #4: Panda Dome

  119. CONCLUSION
    05

  120. REVIEW OF THE FINDINGS
    ● Draw some attention to the antivirus security issue
    ● Everyone is using antivirus, either organizations or individuals
    ● It might look like nothing, but the impact is large
    ● Vulnerability is everywhere

  121. FOR YOU!
    VENDORS
    ● Keep auditing
    ● Reward bounty and credits
    ● Perform large-scale fuzzing
    ● Focus on offensive research
    CONSUMERS
    ● We know it is still relevant, but don't put so much hope in it
    ● Shoot your vendor if it failed to protect you
    ● Be careful what you scan, you might end up with "pass-the-malware"
    ● For business, avoid delaying AV signature updates

  122. THANK YOU!
    Find us on
    https://twitter.com/zeifan
    https://twitter.com/iamyeh
    Blog
    https://nafiez.github.io
    Shout out to
    - POC Organizer
    - KLKS (for review and advice)